Description:
quoting http://securityvulns.com/Sdocument794.html

"
From:     Luigi Auriemma <aluigi_(at)_autistici.org>
Date:     04.01.2008
Subject:  Pre-auth buffer-overflow in mySQL through yaSSL

The following is a proof-of-concept for testing the buffer-overflow
which affects yaSSL <= 1.7.5 on mySQL servers, any version, included the
latest 6.0.3:

 http://aluigi.org/poc/mysqlo.zip

The vulnerability is exploitable before authentication so the only
requirements for testing it are the usage of SSL on the server and
naturally having an IP address with access to the database.

By default mySQL uses yaSSL (1.6.0) for avoiding licences conflicts,
anyway if the test server has been compiled with specific OpenSSL
support it is NOT vulnerable.

---
Luigi Auriemma
http://aluigi.org
"

How to repeat:
see http://aluigi.org/poc/mysqlo.zip

according to http://dev.mysql.com/tech-resources/articles/security_vulnerabilities.html

it's Severity A.
Exploitable, unauthenticated user gains access or crashes the server.
Perhaps exploitable, arbitrary code execution.

all three attacks work

CVE-2008-0226

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/40904

ChangeSet@1.2504, 2008-01-11 12:34:12+01:00, serg@janus.mylan +4 -0
  Bug#33814 - yassl problems

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/40907

ChangeSet@1.2490, 2008-01-11 13:20:03+01:00, serg@janus.mylan +3 -0
  Bug#33814 - yassl problems

pushed into 5.0.54a, 5.1.23, 6.0.4-alpha

reported and fixed upstream:
http://sourceforge.net/forum/message.php?msg_id=4715728

What is the actual effect of this problem? It can be exploited to perform remote code
execution, or crash the server?

It's actually three independent vulnerabilities in the yassl code. At least one of them is
likely to allow remote code execution without prior authentication. The minimum impact is
a crash, again without authentication. 

On the upside, it only affects people that a) use SSL and b) run their mysqld instances
accessible from outside.

Noted in 5.0.54a, 5.1.23, 6.0.4 changelogs.

yaSSL was subject to a pre-authentication buffer-overflow exploit
that could lead to remote code execution or a server crash. The
exploit requires a server with yaSSL enabled and TCP/IP connections
enabled. The exploit does not apply to OpenSSL.

The patch for this bug does not appear to address CVE-2008-0227

it does fix CVE-2008-0227 too

below is the text I suggested for the alert (not necessarily the one that was finally
used):

Recently three vulnerabilities in yassl were discovered, they could lead
to crash or execution of unauthorized code. MySQL is affected too, when
it's built with yassl (not OpenSSL) and SSL is enabled in the server
(HAVE_SSL variable is "YES"). There is no need to have valid MySQL
account credentials to exploit the bug. The proof-of-concept exploit is
freely available in the Internet. These vulnerabilities are fixed in
MySQL 5.0.54a, 5.1.23, 6.0.4. Everybody with a vulnerable configuration
is recommended to upgrade *immediately*.

It lacks cve references, though.

Noted in 5.0.50sp1a, 5.0.54a, 5.1.23, 6.0.4 changelogs.

Three vulnerabilities in yaSSL versions 1.7.5 and earlier were
discovered that could lead to a server crash or execution of
unauthorized code. The exploit requires a server with yaSSL enabled
and TCP/IP connections enabled, but does not require valid MySQL
account credentials. The exploit does not apply to OpenSSL.

The proof-of-concept exploit is freely available on the Internet.
Everyone with a vulnerable MySQL configuration is advised to upgrade
immediately.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41199

ChangeSet@1.2658, 2008-01-24 12:08:04+01:00, tomas@whalegate.ndb.mysql.com +3 -0
  Bug#33814 - yassl problems
  (recommit)

Just for the record:

This fix is also contained in 5.0.51a
(which is not checked by the commit trigger, so there is no automatic entry about that).

Pushed into 5.1.24-rc

Pushed into 6.0.5-alpha

Pushed into 5.1.24-rc

Pushed into 5.0.58

Pushed into 6.0.5-alpha

Pushed into 5.0.82 (revid:chad@mysql.com-20090506130632-s1cl4ygdj9rt2rrz) (version source
revid:chad@mysql.com-20090506130632-s1cl4ygdj9rt2rrz) (merge vers: 5.0.82) (pib:6)

Pushed into 5.1.36 (revid:joro@sun.com-20090528073639-yohsb4q1jzg7ycws) (version source
revid:jimw@mysql.com-20090515174051-ndjvfd1e9hc9k9c3) (merge vers: 5.1.36) (pib:6)

Pushed into 5.4.4-alpha (revid:alik@sun.com-20090616183122-chjzbaa30qopdra9) (version
source revid:joro@sun.com-20090515134506-5mq3a8fafgbkx6u1) (merge vers: 6.0.12-alpha)
(pib:11)

Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l)
(version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers:
5.1.37-ndb-7.0.8) (pib:11)

Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc)
(version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers:
5.1.37-ndb-6.3.27) (pib:11)

Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4)
(version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers:
5.1.37-ndb-6.2.19) (pib:11)

Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr)
(version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers:
5.1.37-ndb-7.0.8) (pib:11)